[nsp] Nachi WORM & ICMP floods of ICMP packets ..

Brian R. Watters brwatters at abs-internet.com
Fri Sep 5 09:07:35 EDT 2003


We have tried to use the rate limiting features, however that along with any
policy routing just kills the edge routers. It appears the only real fix at
this time is to just drop the traffic via an ACL .. This of course is the
worst type of fix as it blinds us to our own network, not to mention all of
the IT staff offnet for our clients can no longer see their users via ping
and/or traceroute .. This solution SUCKS and Cisco has got to come up with a
better solution than ACLs for this issue .. 


Brian 

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Friday, September 05, 2003 7:40 AM
To: Voll, Scott
Cc: brwatters at abs-internet.com; cisco-nsp at puck.nether.net
Subject: Re: [nsp] Nachi WORM & ICMP floods of ICMP packets ..

Hi,

On Thu, Sep 04, 2003 at 07:55:06AM -0700, Voll, Scott wrote:
> It got so bad on our network that 85% of traffic was ICMP.  We have 
> set up ACLs to deny ICMP until our customers can clean up their networks.

What we do is that we rate-limit incoming ICMP echo at our border routers.
This sucks, as we now get complaints "your network is losing packets and my
customers complain about poor connectivity", but it sucks considerably less
than filtering all ICMP echo (meaning "no network diagnosis at all").

I'm not overly happy with that, though - it was meant to be put in place for
a couple of days, until the worst is over.  Now it's been in place 2 weeks, and I
don't see a significant reduction in the number of dropped packets.

Bah.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de
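As an added illustration of the two approaches discussed in this thread (Gert's rate-limit on incoming ICMP echo at the border versus the blanket ACL that Scott and Brian describe), here is a Cisco IOS configuration sketch. It is not configuration from the thread, from the posters, or from Cisco; the interface names, ACL numbers, and the 256 kbit/s rate with 8000-byte bursts are assumed placeholders to be sized to the actual link. The thread's own caveat applies: Brian reports that rate limiting combined with policy routing overloaded his edge routers, so CPU impact should be measured before this is rolled out.

```cisco
! --- Option A (Gert's approach): rate-limit ICMP echo / echo-reply at the border ---
! Extended ACL 100 classifies only echo and echo-reply. Other ICMP types
! (unreachable, time-exceeded, packet-too-big) are left alone, so traceroute
! and path-MTU discovery keep working while the worm's ping scans are throttled.
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
!
interface Serial0/0
 description Upstream link (placeholder interface name)
 ! CAR: forward up to 256 kbit/s of matching traffic, drop the excess.
 ! bps / normal-burst (bytes) / max-burst (bytes) are assumed values.
 rate-limit input access-group 100 256000 8000 8000 conform-action transmit exceed-action drop
!
! --- Option B (the blanket fix the thread complains about): drop all ICMP echo ---
! Stops the flood, but also blinds ping from outside the network,
! which is exactly the operational cost Brian describes.
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any echo-reply
access-list 101 permit ip any any
!
interface Serial0/1
 description Customer-facing link (placeholder interface name)
 ip access-group 101 in
!
! Verification (run from enable mode): the rate-limit counters show how much
! echo traffic conforms vs. exceeds, and the ACL counters show whether the
! filter is actually matching anything.
! show interfaces Serial0/0 rate-limit
! show access-lists 100
```

Option A keeps a bounded amount of echo traffic flowing, so ping still works for diagnosis but a Nachi-style flood cannot saturate the link; the trade-off is the "your network is losing packets" complaints Gert mentions, since legitimate pings share the same token bucket with the worm's scans.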